Deny web access to a directory?

[david]

Hi,

I have a asp.net site running on an MS Access database this is, for better
or worse, stored under the webroot.

How can I lockout the database directory to prevent anyone from downloading
it via HTTP?

I have attached my web.config file at the end of this message.

The problem is that the "database" directory is still viewable by anyone.
Not sure why. Do I have a typo?


Thanks,
David


---------------------------------------------



<configuration>

<system.web>
<customErrors mode="Off"/>

<!-- Authentication form -->
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="app-admin/Login.aspx" protection="All"
timeout="999999" path="/app-admin/" />
</authentication>

<!-- Allow anon users to main site -->
<authorization>
<allow users="?" />
</authorization>
</system.web>

<!-- Set up secure zone for app admin -->
<location path="app-admin">
<system.web>

<!-- disallow anon users-->
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

<!-- Set up secure zone for database -->
<location path="database">
<system.web>

<!-- disallow all users-->
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>

</configuration>

[Dominick Baier]

hi,

asp.net handles only the requests that are mapped on aspnet_isapi which are asmx, aspx and some more - other extensions are directly handled by IIS without even entering your application

add another script mapping to IIS for .mdb pointing to exactly the same script handler as .aspx - you could also add a HttpForbiddenHandler to your web/machine.config after that.



---
Dominick Baier - DevelopMentor
[url]http://www.leastprivilege.com[/url]

nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<4D921C30-E888-4D1A-871E-A4984D6456B6@microsoft.com>

Hi,

I have a asp.net site running on an MS Access database this is, for better
or worse, stored under the webroot.

How can I lockout the database directory to prevent anyone from downloading
it via HTTP?

I have attached my web.config file at the end of this message.

The problem is that the "database" directory is still viewable by anyone.
Not sure why. Do I have a typo?


Thanks,
David


---------------------------------------------



<configuration>

<system.web>
<customErrors mode="Off"/>

<!-- Authentication form -->
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="app-admin/Login.aspx" protection="All"
timeout="999999" path="/app-admin/" />
</authentication>

<!-- Allow anon users to main site -->
<authorization>
<allow users="?" />
</authorization>
</system.web>

<!-- Set up secure zone for app admin -->
<location path="app-admin">
<system.web>

<!-- disallow anon users-->
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

<!-- Set up secure zone for database -->
<location path="database">
<system.web>

<!-- disallow all users-->
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>

</configuration>


[microsoft.public.dotnet.framework.aspnet.security]